Ponemon study identifies criminal attacks as leading cause of breaches

HIM-HIPAA Insider, May 11, 2015

Criminal attacks on the healthcare industry have increased 125% since 2010, making these attacks the leading cause of data breaches in the industry, according to the Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare, sponsored by ID Experts®. The goal of the study is to determine what organizations are doing to protect the privacy and security of PHI and what challenges they may face in doing so, according to Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.

The study reports on the responses of 90 covered entities (CE), and for the first time includes responses from 88 business associates (BA). The Ponemon Institute conducts as many as 20 separate interviews with each CE and BA involved in the study, Dr. Ponemon says.

“This year, we did a couple things that are new and that I think are very exciting,” Dr. Ponemon says. “We included a companion sample of BAs, because traditionally our focus has been on healthcare providers and mainly CEs.” The Ponemon Institute opted to include responses from BAs because of the enhanced role BAs now play in the healthcare industry with regard to regulations outlined in the HIPAA omnibus rule. In addition, the institute increased its focus on security incidents when surveying respondents. In the past, the study primarily focused on data leakage, he says.

Rick Kam, CIPP/US, president and co-founder of ID Experts, found the responses from BAs to be one of the most intriguing elements of the study. “BAs are relatively new to complying with HIPAA and HITECH, and so they’re not necessarily directing all of the appropriate resources to protect data, and that’s why you see quite a few of them having issues,” he says.

Although criminal attacks have been highlighted in the annual study for five years, 2015 marks the first year that these attacks were listed as the top cause of data breaches. Nearly half (45%) of healthcare organizations surveyed listed criminal attacks as the top cause of data breaches, compared to 39% of BAs. Medical identity theft not only has financial repercussions, but has the potential to compromise the accuracy of patients’ records, which can ultimately harm the patient, Kam says.

More than 90% of CEs surveyed experienced a data breach, and more than 40% experienced one within the last five years. More specifically, 65% of CEs said they experienced security incidents within the last two years involving the exposure, theft, or misuse of electronic information. The majority of respondents (96% of CEs and 95% of BAs) have experienced an incident involving lost or stolen devices. The study revealed that the average cost of a breach at a healthcare organization is more than $2.1 million, whereas the average cost for BAs is more than $1 million.

Although the CEs and BAs surveyed are aware of cyber threats, many reported that they lack the funding and resources to adequately protect patient data. “Both CEs and BAs acknowledged that they have inadequate funding for security, data protection, and privacy initiatives,” Dr. Ponemon says. “And 50% of both groups said that they have no confidence in their organization’s ability to protect patient data loss or theft.”

For example, 58% of CEs and 50% of BAs indicated that they have policies and procedures in place to prevent or detect unauthorized access to PHI, but just 49% of CEs and 46% of BAs reported having technology that sufficiently identifies these threats. Similarly, 50% of CEs and just 42% of BAs reported that their organization completed a four-factor risk assessment as required by the HIPAA omnibus rule following a security incident involving ePHI. However, 70% of CEs surveyed and 51% of BAs reported their greatest concern is negligent and careless employees.

“In the world of security, these organizations are struggling,” Dr. Ponemon says. “But the good news is that it seems like there are signs of improvement. These organizations seem to be doing more and better things than they did five years ago.”
